Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Table of Contents

Apache Log4j2 version <2.15.0 is a part of the following products:

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
  • Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
  • Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
  • Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

  • Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Collaborator for Teamwork Cloud (release  2021x Refresh1, 2021x Refresh2)
  • MagicDraw (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)

 

Apache Log4j2 version <2.15.0 is a part of the following products, however it is not used for logging:

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

  • Cameo Collaborator for Teamwork Cloud (release  2021x19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)


Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Option 1

  1. Download the latest log4j 2.15.0 patched version .
  2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

...

to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.propertiescsm.propertiescameoea.properties) on the classpath to prevent lookups in the log event message.

 

For collaboration tools (Magic Collaboration StudioCameo Collaborator for Teamwork Cloud, Teamwork Cloud)

Option 1

You may prevent  lookups in the log event message by adding parameter via command line or in Web Application Platform setenv.sh / setenv.bat properties file.

...

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 

 

The following products and versions are NOT affected:

CATIA Magic portfolio

  • Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

  • Teamwork Cloud (release 19.0) 
  • Cameo Collaborator for Teamwork Cloud (release 19.0) 
  • MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)

...